On Mon, Apr 26, 2021 at 01:42:50PM +0530, Pratham Pratap wrote:
> Hi,
>
> Let's say a function driver queues a request on ep0 and before the
> completion handler could run a composition switch/physical disconnect happens.
> This request will be in the pending list since gadget_giveback is not done, but
> the composite driver will free the request from composite_dev_cleanup. Now,
> once the next connect happens, another ep0 request is queued and while
> handling the completion of that request, the gadget driver might end up
> accessing the old/stale request, leading to list_poison since the pending list is
> corrupted.
>
> To fix this, the function drivers might want to use a setup_pending flag (mark it
> true) so that when composite_dev_cleanup is run the requests are given
> back from usb_ep_dequeue; clear the setup_pending flag in the function driver
> when the completion handler has run successfully. I can see this issue in almost
> all the function drivers.
>
> Looking for suggestions and comments.

Have you tried making this change and determined that it works or not?
If so, please submit a patch.

thanks,

greg k-h
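The lifetime problem described in the thread, modelled in plain user-space C as an added example (this is not kernel code and not code from either participant): a request stays on an endpoint's pending list from queue until completion gives it back, and "cleanup" frees it without unlinking it. The `setup_pending` flag, `ep_dequeue`, `ep_queue`, `cleanup_buggy` and `cleanup_fixed` are hypothetical names that stand in for the kernel paths discussed (`usb_ep_dequeue`, `composite_dev_cleanup`); the `freed` field replaces `kfree()` so the model never dereferences freed memory, and the audit function reports whether a freed request is still reachable from the list, which is the condition that produces list corruption on the next completion.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of an ep0 request (hypothetical, not struct usb_request). */
struct req {
    const char *name;
    bool setup_pending;   /* set while the controller still owns the request */
    bool freed;           /* stands in for kfree(); freed memory is never touched */
    struct req *next;
};

/* Endpoint with a singly linked pending list; head is the oldest request. */
struct ep {
    struct req *pending;
};

/* usb_ep_queue-like: append and mark the request as owned by the controller. */
static void ep_queue(struct ep *ep, struct req *r)
{
    struct req **pp = &ep->pending;
    r->setup_pending = true;
    r->next = NULL;
    while (*pp)
        pp = &(*pp)->next;
    *pp = r;
}

/* usb_ep_dequeue-like: unlink the request and give it back to the driver. */
static bool ep_dequeue(struct ep *ep, struct req *r)
{
    for (struct req **pp = &ep->pending; *pp; pp = &(*pp)->next) {
        if (*pp == r) {
            *pp = r->next;
            r->next = NULL;
            r->setup_pending = false;   /* completion/giveback done */
            return true;
        }
    }
    return false;
}

/* Completion path: the controller hands back the head of the list. */
static struct req *ep_complete_head(struct ep *ep)
{
    struct req *r = ep->pending;
    if (!r)
        return NULL;
    ep->pending = r->next;
    r->next = NULL;
    r->setup_pending = false;
    return r;
}

/* Cleanup as reported: free the request while it is still linked. */
static void cleanup_buggy(struct ep *ep, struct req *r)
{
    (void)ep;
    r->freed = true;      /* kfree() equivalent; list still points at r */
}

/* Cleanup with the proposed fix: dequeue first if the controller owns it. */
static void cleanup_fixed(struct ep *ep, struct req *r)
{
    if (r->setup_pending)
        ep_dequeue(ep, r);
    r->freed = true;
}

/* Audit: how many list entries reference freed memory. Non-zero means the
 * next completion handler can walk into a stale request. */
static int count_stale(const struct ep *ep)
{
    int n = 0;
    for (const struct req *r = ep->pending; r; r = r->next)
        if (r->freed)
            n++;
    return n;
}

/* Scenario from the report: queue on ep0, disconnect before completion,
 * cleanup, reconnect, queue a new request, then complete. Returns the number
 * of stale entries left on the list after the reconnect. */
static int run_scenario(bool fixed)
{
    struct ep ep = { NULL };
    struct req old   = { "old-ep0-req", false, false, NULL };   /* constructed */
    struct req fresh = { "new-ep0-req", false, false, NULL };   /* constructed */

    ep_queue(&ep, &old);                 /* queued, completion never runs */
    if (fixed)
        cleanup_fixed(&ep, &old);
    else
        cleanup_buggy(&ep, &old);
    ep_queue(&ep, &fresh);               /* next connect queues another request */
    return count_stale(&ep);
}

/* True if the completion handler would be handed a freed request. */
static bool completion_returns_freed(bool fixed)
{
    struct ep ep = { NULL };
    struct req old   = { "old-ep0-req", false, false, NULL };   /* constructed */
    struct req fresh = { "new-ep0-req", false, false, NULL };   /* constructed */

    ep_queue(&ep, &old);
    if (fixed)
        cleanup_fixed(&ep, &old);
    else
        cleanup_buggy(&ep, &old);
    ep_queue(&ep, &fresh);
    struct req *done = ep_complete_head(&ep);
    return done && done->freed;
}

int main(void)
{
    printf("buggy cleanup: %d stale entr(y/ies), completion gets freed req: %s\n",
           run_scenario(false), completion_returns_freed(false) ? "yes" : "no");
    printf("fixed cleanup: %d stale entr(y/ies), completion gets freed req: %s\n",
           run_scenario(true), completion_returns_freed(true) ? "yes" : "no");
    return 0;
}
```

The model keeps the invariant the thread argues for: a request may only be freed once it is no longer reachable from the endpoint's list, and the flag set on queue and cleared on giveback is what tells cleanup whether a dequeue is still required. In the real driver the same audit is what KASAN or list debugging would flag at the next completion, after the damage is done.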